<html>
<head><meta charset="utf-8"><title>cargo-audit version resolution bug · wg-secure-code · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/index.html">wg-secure-code</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo-audit.20version.20resolution.20bug.html">cargo-audit version resolution bug</a></h3>

<hr>

<base href="https://rust-lang.zulipchat.com">

<head><link href="https://rust-lang.github.io/zulip_archive/style.css" rel="stylesheet"></head>

<a name="222110293"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo-audit%20version%20resolution%20bug/near/222110293" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo-audit.20version.20resolution.20bug.html#222110293">(Jan 08 2021 at 18:48)</a>:</h4>
<p><span class="user-mention" data-user-id="132721">@Tony Arcieri</span> we have a new SmallVec vulnerability, but cargo-audit fails to flag it, even though CI has passed for the advisory. I'm investigating the cause right now. TOML here: <a href="https://github.com/RustSec/advisory-db/pull/552">https://github.com/RustSec/advisory-db/pull/552</a></p>



<a name="222111255"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo-audit%20version%20resolution%20bug/near/222111255" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo-audit.20version.20resolution.20bug.html#222111255">(Jan 08 2021 at 18:56)</a>:</h4>
<p>The version resolution doesn't appear to be the cause; I've simplified it all the way to <code>patched = ["&gt; 1.6.1"]</code>, removed all other fields, and it's still not triggering. Both on <code>cargo-audit</code> 0.12.1 and 0.13.1</p>



<a name="222111694"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo-audit%20version%20resolution%20bug/near/222111694" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo-audit.20version.20resolution.20bug.html#222111694">(Jan 08 2021 at 19:00)</a>:</h4>
<p>The reporter says it works for them, while for me and <code>Vecr#2553</code> on Discord it does not work. Very weird.</p>



<a name="222112490"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo-audit%20version%20resolution%20bug/near/222112490" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo-audit.20version.20resolution.20bug.html#222112490">(Jan 08 2021 at 19:06)</a>:</h4>
<p>Have you confirmed it's actually resolved to a vulnerable version in <code>Cargo.lock</code>?</p>



<a name="222112565"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo-audit%20version%20resolution%20bug/near/222112565" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo-audit.20version.20resolution.20bug.html#222112565">(Jan 08 2021 at 19:07)</a>:</h4>
<p>the known version resolution problems are around prereleases</p>



<a name="222113033"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo-audit%20version%20resolution%20bug/near/222113033" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo-audit.20version.20resolution.20bug.html#222113033">(Jan 08 2021 at 19:11)</a>:</h4>
<p>Okay, I've figured it out. I was confused by Cargo's workspace handling.</p>



<a name="222113128"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo-audit%20version%20resolution%20bug/near/222113128" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo-audit.20version.20resolution.20bug.html#222113128">(Jan 08 2021 at 19:12)</a>:</h4>
<p>And the report from another user was about a synthetic <code>Cargo.lock</code> generated by <a href="https://github.com/Shnatsel/rust-audit">https://github.com/Shnatsel/rust-audit</a>, which I will investigate separately</p>



<a name="222113142"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo-audit%20version%20resolution%20bug/near/222113142" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo-audit.20version.20resolution.20bug.html#222113142">(Jan 08 2021 at 19:12)</a>:</h4>
<p><strong>TL;DR: false alarm</strong> and workspace usability issue</p>



<a name="222113153"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo-audit%20version%20resolution%20bug/near/222113153" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo-audit.20version.20resolution.20bug.html#222113153">(Jan 08 2021 at 19:12)</a>:</h4>
<p>Thanks for the quick response btw</p>



<a name="222115625"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo-audit%20version%20resolution%20bug/near/222115625" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo-audit.20version.20resolution.20bug.html#222115625">(Jan 08 2021 at 19:34)</a>:</h4>
<p>I suppose now is a good time to push the website refresh button</p>



<a name="222117326"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/cargo-audit%20version%20resolution%20bug/near/222117326" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/cargo-audit.20version.20resolution.20bug.html#222117326">(Jan 08 2021 at 19:51)</a>:</h4>
<p>When roundtripped through JSON via rust-audit, <code>cargo audit</code> does not report this vulnerability. But the TOML does contain the SmallVec entry. <br>
I guess I'll debug it tomorrow, I've filed an issue for now: <a href="https://github.com/Shnatsel/rust-audit/issues/27">https://github.com/Shnatsel/rust-audit/issues/27</a></p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>